
Windows XP Remote Assistance
Date: Aug 9, 2002
Sample Chapter is provided courtesy of Prentice Hall Professional.
This chapter covers
What is Remote Assistance?
Requirements for Remote Assistance
Sending a Remote Assistance call
Accepting a Remote Assistance call
Security issues surrounding Remote Assistance
Common errors that may occur when using Remote Assistance
Overview
As a network administrator, technical support can often take up a lot of your time. Until now, supporting users usually meant purchasing multiple copies of Symantec's very expensive PC-Anywhere software. Microsoft has changed all this with its new Remote Assistance feature. Remote Assistance allows support technicians to provide visual, remote technical support. By adding features that you have always wanted and expected in an operating system, Microsoft has tried to create the total operating system "experience" as they like to call it. More importantly, since Windows XP introduces several free software applications that formerly required you to purchase expensive third-party utilities, it can pay for itself when upgrading your network from older operating systems.
The addition of Windows XP Remote Assistance revolutionizes the technical support field. With a few simple commands, the technician has full access to the user's computer and sees a poorly configured Internet Explorer. However, remote access does have the potential for frightful security breaches. Though designed as an administration tool, the Remote Assistance program acts like the Trojan horses used by hackers to gain unauthorized access to a computer. All it takes is for one misconfigured 'Invitation' to fall into the wrong hands, and the hacker owns the originating computer.
Not to be confused with Remote Desktop, which only allows one active session at a time per computer (or license), Remote Assistance will allow both the owner and the remote user to control the computer at the same time. Options such as chatting via keyboard or microphone show that Remote Assistance was designed more for technical support than for remote administration. The ability for the local user and remote user to communicate while viewing the same desktop makes technical support easy, and even pleasurable if you are like the majority of network administrators who enjoy taking the time to help their users.
During the remainder of this chapter, the requesting party will be the 'Novice' and the assisting party will be the 'Helper'. We adopt the terms used by Microsoft in the Remote Assistance program.
Requirements for Remote Assistance
There are several requirements that are needed by both the Helper and the Novice in order for Remote Assistance to work. These requirements include the following:
The Helper and the Novice computers must both be running Windows XP
In order to receive an acceptance notice of the invitation, the Helper must be connected to the Internet
Depending on the Invitation delivery method, the Novice will need either Windows Messenger, a MAPI Email program, or a means of delivery for a file
If the Helper or Novice is behind a firewall, the firewall will need to be configured to allow Remote Assistance traffic via outbound TCP port 3398
Proper configuration of Remote Desktop properties must be set if remote control is required
A strong password is needed by the Helper to establish the initial connection to the Novice
Although the requirements are few, a connection can be difficult to create if either the Helper or Novice is part of a corporate network. End-users behind a corporate firewall may require help in setting up Remote Assistance. This is due to the level of security needed to ensure data integrity in the enterprise. If Remote Assistance is necessary and your users cannot establish a connection due to current firewall settings, you will need to make sure that the firewall allows outbound TCP port 3398 from the client in order to successfully establish a connection.
Using Remote Assistance
Once you meet all the requirements for Remote Assistance to be possible, it is time to make the connection. Because security is such an important issue when dealing with the remote control of a computer, the Remote Assistance program necessitates more than just a simple point and click approach to establishing the connection. There are several checkpoints along the way that give the Novice (owner) the option of preventing the connection from being made.
Sending the Invitation
The first step in setting up a Remote Assistance session is to send a call for help.
Click on Start > Help and Support, which will open a window similar to figure 4-1.
Figure 4-1: Windows XP Help and Support Center
TIP
The Help and Support Center is new to Windows XP. It is designed to help the user easily and quickly access the many different aspects of Help available in the Windows OS.
Click on the link on the upper left Invite a friend to connect to your computer with Remote Assistance
Select the type of Invitation you wish to use to send to the technician
Windows Messenger: To use this option the Helper and Novice must have the MSN Messenger installed and have an active and open connection between the two messengers
Email: To use this option, the Novice and Helper must have a MAPI based email program on their computers (Outlook Express, Outlook)
File: To use this option, the Novice and Helper must have a means of delivery for the invitation file that will be created
Figure 4-2: The Remote Assistance Invitation methods
File Invitation
Enter a name
TIP
You should never use your real name when sending an Invitation. A pseudonym adds an extra layer of protection in case your Invitation is hijacked. Providing your real identity will only help a hacker find your computer more quickly.
Choose the time limitation
TIP
For security reasons, it is important to choose a limited time length availability. The shortest you can tolerate (while balancing convenience) is the best.
Figure 4-3: Identity and Expiration options for Invitation
Enter a strong password (i.e. any word not found in a dictionary, greater than 6 characters, and includes upper case, lowercase, numerical, and one of the following: !@#$%^&*()) that will be required when the Remote Assistance connection is made. You will need to provide the password to the Helper via another means of communication.
CAUTION
Although you can disable the password option, it is not recommended. This is in case the Invitation ends up in the wrong person's hands. Without a strong password, the Novice computer could be easily breached.
Figure 4-4: Remote Assistance password options window
Click Save Invitation to store the Invitation file on your hard drive or network
Email Invitation
Enter a name and message to be included in the Invitation email
Figure 4-5: Remote Invitation Email Message
You will be asked by Microsoft Outlook to allow the Remote Assistance program to check if the entered email address is in your address book. Click Yes to pass this.
TIP
Because of the increase in popularity of Microsoft Outlook address book as a vector for computer viruses, Windows XP will verify that the Remote Assistance program is permitted to access the address book.
Figure 4-6: Microsoft Outlook Express's Warning Message
Figure 4-7: Microsoft Outlook alert dialog box
Click Send Invitation
Chat Invitation
Open Microsoft Messenger chat program
Click Tools > Ask for Remote Assistance and click on the user you want to send the Invitation.
Figure 4-8: Sending Invitation via MSN Messenger Service
If the user is not listed, select Other... and enter the email address of the helper
Figure 4-9: Entering messenger address for Invitation
Enter the email address of the user to invite and click OK
Enter a message and click the Invite button
Figure 4-10: Sending the Remote Invitation via chat
Tracking Invitations
When you send an invitation from the Help and Support Center, it is logged and stored on your computer. This is to provide a means for Windows XP to verify that any incoming Remote Assistance connection request is valid. Windows XP also keeps tabs on any unanswered Invitations in order to allow you the ability to Expire, Resend, Delete, or learn more about the Details of the Invitation.
To access this list, you need to perform the following steps:
Click Start > Help and Support > Invite a friend to connect to your computer with Remote Assistance > View Invitation Status
Figure 4-11: Viewing Remote Assistance invitation statuses
Select one of the Invitation Options
Details: This option provides you with all the information about the Invitation. It tells you how the Invitation was sent and to whom it was sent if applicable. It also provides you with the expiration time, open status, password status, and message included.
Figure 4-12: Remote Assistance Invitation Details
Expire: This will simply change the status of the Invitation to 'Expired'
Resend: In case the recipient never received the Invitation, or it was sent to the wrong location, this option allows you an easy way to recreate the Invitation
Delete: As you can guess, this allows you to delete the Invitation. You may get a warning if the Invitation is still in 'Open' status.
Accepting the Remote Assistance Call
The first stage of security in Remote Assistance is the acceptance stage of the request for help. The request can only come via a file or email message.
There are three main ways to receive an invitation. Each of these will be covered in the following pages.
Chat: When an invitation is sent via a Windows Messaging program, the requested party must be online. In addition, the party must accept the Invitation. Figure 4-13 illustrates the message that arrives bearing the invitation as a link. To accept, click the highlighted Accept link. This will send a message back to the initiating computer to start the Remote Assistance program.
Figure 4-13: Receiving Remote Assistance request
Email: When you receive an email message containing a Remote Assistance request, the actual request is included as an attachment. The attached file is the same file that would have been created if the requesting party chose to manually create a file and send it to the remote party. However, there is a message that is included by default with the email message that outlines some of the issues surrounding Remote Assistance. Included in the message is a personal message from the sender. Figure 14 provides an example of a real request for Remote Assistance sent via email.
CAUTION
As the initial instant message dialog warns, you should never give out password or credit card information via a chat program. This is because you never know who is on the other end, and your information could be easily 'sniffed', or captured as it passes on the Internet.
Open the e-mail
CAUTION
The email Remote Assistance comes as an attachment that must be downloaded to the computer and executed. Unless you are sure the request is legitimate and are expecting it, you should be wary about using it. It could be a virus or Trojan in disguise.
Figure 4-15: Open Attachment Warning for Remote Assistance file
Upon execution of the Remote Assistance invitation, a dialog with the sender's information will be displayed. If there is no password option, the sender did not require a password in the request for help. Otherwise, enter the password and click Yes. This will start the initiation of the connection. This is the second stage of security that is built into Remote Assistance.
CAUTION
The second line of security defense that Remote Assistance uses is authorization. The file and email methods can both require a password to make the connection. The chat method indirectly requires authentication because the request is made from a Windows Messenger account that itself requires authentication.
Figure 4-16: Remote Assistance Helper side connection verification
Figure 4-17: Remote Assistance Helper connecting screen
File: Accepting the file method only requires that the remote party receives the Remote Assistance file and that they double click it. This will open the same window as Figure 4-17.
Using the Remote Assistance Connection
At this point in the connection process, two security checkpoints have been crossed. On the one hand, the explicit setup and delivery of the request acts as a security filter to limit the session time and permissions on the requesting computer. On the other hand, the password option adds further security.
The next security checkpoint is the required active approval of the Remote Assistance connection by the Novice. Finally, the most critical security checkpoint is that needed to gain full control of the Novice's computer. This checkpoint is similar to the third in that it also requires an active acceptance of a request from the helper before control of the computer is passed to the helper.
To start the Remote Assistance session:
Helper: Start the session by clicking on the file or the link sent by the Novice
Novice: Accept the Remote Assistance connection
Figure 4-18: Accepted Chat invitation on Novice computer
Figure 4-19: Accepted Remote Assistance file invitation on Novice computer
Session is Initiated and Remote Assistance screen is loaded on helper's computer; connection is established
Figure 4-20: The Remote Assistance Window while waiting for authorization from Novice
Helper and Novice: Communicate via chat program that is built into Remote Assistance program
Figure 4-21: Remote Assistance screen on helper's computer during session
Figure 4-22: Remote Assistance chat session (Left is helper screen /Right is Novice Screen)
Helper: If the problem cannot be solved without remote control, the helper can initiate a command to give the helper remote control of the Novice computer
Novice: Accepts or declines the request for Remote Control
Figure 4-23: Remote Assistance remote control warning
CAUTION
Users should be educated to exercise extreme caution before giving someone else remote control over their computer.
Helper: Close the Remote Assistance Web Page Dialog window and proceed
Figure 4-24: Remote Assistance dialog popup informing helper of acceptance of control request
Helper or Novice: When the Novice's problem has been solved, click the Disconnect button to end the session
Figure 4-25: Remote Assistance control ended alert
As you can see, the Remote Assistance program is fairly straightforward. The security considerations are well thought out and with the proper configuration will help maintain a secure connection.
The next segment offers pointers that will keep your Remote Assistance sessions secure.
Remote Assistance and Security Issues
Allowing access to files and folders on a computer is a key part of any network. To do this securely, file servers are often set up to use the NTFS file system; this enables an administrator to control who is and who is not allowed access to data on the server. The policy can be as liberal as allowing a user full control of all files or as limiting as allowing a user only read access to one file on the server.
Windows XP utilizes NTFS and file encryption. However, all it takes is one user account with elevated privileges in combination with Remote Assistance and all the effort spent in securing files is wasted. With Remote Assistance, a Helper has full control of all the files that the Novice has access to. While it is true that a Helper has to pass four different security checkpoints before they can get remote control of the computer, once in, it only takes a few seconds of unmonitored control for a Helper to make disastrous changes to the computer, such as installing a permanent backdoor.
The following is a list of warnings to give to your users who employ the Remote Assistance feature of Windows XP:
Never open a Remote Assistance request file without being 100% positive of its origin. It is a simple thing for a hacker to create a fake program that uses the Remote Assistance icon. If a message with the Remote Assistance icon shows up in your mail box with a message from someone you know, it may be very tempting to double click it to receive. Do not do this wantonly, as it could be a Trojan or virus that uses the same Remote Assistance icon.
Never send a Remote Assistance Invitation without a password. This is like sending someone a post card in the mail with an announcement of your intended vacation and then leaving your house unlocked. If the message, or file, ended up in the wrong hands, a malicious person could hijack the invitation and attempt to abuse the Helper status.
Be sure to use a strong password. The Internet is full of hacker programs that can be used to guess your password. To prevent a successful guess, you must create a password greater than six letters, using at least one capital letter and one number (not in the first or last letter) with an optional non-alphanumeric character (e.g., hApp1ne&&, iLov3y*u). Increasing the length and varying the characters will significantly decrease the chance that your password is guessed.
Reduce the Remote Assistance Invitation time limit to as short as possible. By reducing the time window, you are also reducing the chance that your invitation is abused. The less time a hacker has to exploit the connection, the less chance you have of being hacked.
Be completely sure to whom you are giving control. Script kiddies (pre-hackers) gain bragging rights by "owning" more computers than their friends. This makes it worth their while to attempt to socially engineer a session from you.
Never enable Remote Assistance on a security sensitive computer. Any computer that contains mission critical data should not be permitted to accept remote assistance calls. This facilitates the potential for a security breach. If assistance is necessary, an onsite support specialist with the proper clearance should be employed.
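The password rules given in this chapter (longer than six characters, mixed case, a digit that is not the first or last character, one of !@#$%^&*(), and not a dictionary word) can be checked mechanically before an Invitation is sent. The following is an added example, not code from the chapter or from Microsoft. The word list is a constructed stand-in for a real dictionary file, and the look-alike character table is an assumption that goes beyond the chapter's wording.

```python
import re

# Non-alphanumeric characters the chapter lists for Invitation passwords.
SYMBOLS = set("!@#$%^&*()")

# Constructed sample word list (assumption); replace with a real dictionary file.
SAMPLE_WORDS = {"password", "welcome", "happiness", "support", "letmein"}

# Assumed look-alike substitutions, so 'P@ssw0rd' is still seen as 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "@": "a", "$": "s"})


def _letters(text):
    """Keep only a-z so trailing digits and symbols do not hide a word."""
    return re.sub(r"[^a-z]", "", text)


def dictionary_hit(password, words=SAMPLE_WORDS):
    """Return the dictionary word the password is built on, or None."""
    lowered = password.lower()
    candidates = {_letters(lowered), _letters(lowered.translate(LEET))}
    return next((w for w in sorted(candidates) if w in words), None)


def check_invitation_password(password, words=SAMPLE_WORDS):
    """Return the list of rules the password breaks; empty means it passes."""
    problems = []
    if len(password) <= 6:
        problems.append("must be longer than 6 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower-case letter")
    # The chapter asks for a number that is not the first or last character.
    if not any(c.isdigit() for c in password[1:-1]):
        problems.append("needs a digit that is not first or last")
    # Where the chapter's two rule lists differ, the stricter one is applied:
    # a symbol is required rather than optional.
    if not any(c in SYMBOLS for c in password):
        problems.append("needs one of !@#$%^&*()")
    word = dictionary_hit(password, words)
    if word is not None:
        problems.append(f"based on the dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    # The first two are the chapter's own examples; the rest are constructed.
    for candidate in ["hApp1ne&&", "iLov3y*u", "P@ssw0rd", "Welcome1!", "abc1"]:
        result = check_invitation_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

A password such as P@ssw0rd satisfies every composition rule and is rejected only by the dictionary check, which is why the chapter lists both kinds of requirement.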
By keeping these few points in mind, you can increase the security of your Remote Desktop sessions. However, there are plenty of other problems that can arise from poorly configured settings or network connection issues. The next segment will cover several of the most common errors that a user could see and will suggest ways to fix the problems.
Troubleshooting Remote Assistance
Remote Assistance can be problematic for numerous reasons. The following breaks down the most common problems into categories and provides a starting place when looking for solutions. Users should be educated on these issues.
Network Issues:
No connectivity: If a connection cannot be made between the Novice and Helper, there are several components to look at.
Firewall: If there is a firewall, the Remote Assistance connection may not be possible due to the current security policy. Check with your friendly Network Administrator to see if it is within the security policy to allow a Remote Assistance connection.
Network Down: As with all networks, it is possible that yours is down. You can test this by trying to make a connection via the Windows Messaging service.
Slow connectivity: If the connection between the Novice and Helper is lagging, it will fundamentally be due to inadequate bandwidth. Whether as a result of an overloaded network or a low bandwidth connection, there is not much that can be done other than to demote the audio settings if they are enabled. This setting is adjusted using the Settings button on the Remote Assistance window on either the Novice or Helper side. In addition, you can ensure that all other Internet based programs are closed or disabled.
Figure 4-27: Adjusting the Audio quality of the Remote Assistance connection
Misconfiguration Issues:
Remote Control Fails: If you cannot establish a Remote Control session but you know that you are connected, you will need to ensure that the Remote Desktop settings are correct by right clicking on My Computer > Properties > Remote > Remote Desktop frame and ensure that the Allow users to connect remotely to this computer option is checked.
Figure 4-28: Remote Desktop properties windows
Miscellaneous Errors: If the settings for Remote Desktop are correct, other possible causes for a rejected connection are as follows:
The clock settings do not match or the time limit has expired. Try to resend the Invitation and verify that the computer clocks match and that the date is correct.
Account not permitted to connect: Verify that the account has connect privileges under the Remote Desktop settings previously mentioned.
File Error - If the file is already open or is corrupt, the Novice will have to resend the invitation
Summary
The new Windows XP Remote Assistance feature has the potential to revolutionize the technical support industry. The program is intuitive and powerful. However, with this increase in power there is a corresponding need for an increase in security. By educating users to configure the Novice computer to accept only those requests that are permitted and to maintain control over Remote Control permissions, you can help users maintain data integrity. The trickiest part of Remote Assistance for end-users will be to avoid spoofing or social engineering attempts. A hacker could easily trick a Novice user into allowing a connection and could thus gain unauthorized access to a network. If you or your employees previously have fallen for cleverly worded e-mails carrying viruses, you may become prey for devious hackers sending false invitations. Educate yourself and your employees not to accept unsolicited invitations.